Microsoft Kills DigiNotar

In July, DigiNotar, a Dutch company that supplies security certificates, had its servers hacked. As a result, more than 500 SSL certificates were stolen and fake ones put in their place.

Among the certificates stolen were ones belonging to intelligence services and to Google.

DigiNotar was not aware of the hack for a month, and during this time the hackers used the fabricated SSL certificates to spy on the Gmail accounts of 300,000 Iranians.

Although the identity of the hackers is unknown, security researchers believe the Iranian Government to be behind it as part of their attempts to listen in to the communications of activists and protesters.

As a result of this severe security breach, Microsoft yesterday updated Windows to block all SSL certificates issued by DigiNotar.

This update for Vista, Windows 7 and the much older XP means that anyone using Internet Explorer will be barred from reaching sites with SSL certificates issued by DigiNotar.

In its security advisory, Microsoft says: “Microsoft is continuing to investigate this issue. Based on preliminary investigation, Microsoft is providing an update for all supported releases of Microsoft Windows that revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store.”

Those in the Netherlands, though, will not see this update for another week.

“At the explicit request of the Dutch government, Microsoft will delay deployment of this update in the Netherlands for one week to give the government time to replace certificates,” Dave Forstrom, a director in Microsoft’s Trustworthy Computing group, said in a blog post today. “Dutch customers who wish to install the update can do so by manually visiting Windows Update or following the instructions available at www.microsoft.nl once the security update is released worldwide.”

Google Chrome and Mozilla Firefox have already been updated to block all DigiNotar certificates. Google shipped a new version on Saturday while Mozilla pushed out the update today.

DigiNotar has incurred the wrath of Mozilla with this security breach. Johnathan Nightingale, director of Firefox engineering, said in a blog post last Friday: “This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.”

Apple is the only large browser vendor yet to mention blocking DigiNotar SSL certificates and, like Microsoft, it has to update its operating system. When Comodo suffered a similar attack last March, Apple was again the slowest to block.

It does seem like the writing is on the wall for DigiNotar though. The bad press received was one thing; the blocking by major browsers makes their future untenable.